Social Engineering: I-E based Model of Human Weakness for Attack and Defense Investigations

Full Text (PDF, 336KB), PP.1-11


Author(s)

Wenjun Fan 1,*, Kevin Lwakatare 2, Rong Rong 3

1. Department of Telematics Engineering, ETSI Telecommunication Technical University of Madrid, Madrid, Spain

2. Department of Computer Science, TUT Centre for Digital Forensics and Cyber Security Tallinn University of Technology, Tallinn, Estonia

3. IE Business School, Madrid, Spain

* Corresponding author.

DOI: https://doi.org/10.5815/ijcnis.2017.01.01

Received: 4 May 2016 / Revised: 10 Sep. 2016 / Accepted: 11 Oct. 2016 / Published: 8 Jan. 2017

Index Terms

Social Engineering, Semantic Attacks, Information Security, Data Privacy, Hacking Techniques, Human Weaknesses

Abstract

Social engineering is an attack that aims to manipulate a dupe into divulging sensitive information or taking actions that help the adversary bypass the security perimeter in front of information-related resources, so that the attacker's goals can be achieved. Although a number of security tools, such as firewalls and intrusion detection systems, are used to protect machines from attack, a widely accepted mechanism to protect dupes from fraud is lacking. Yet the human element is often the weakest link in an information security chain, especially in a human-centered environment. In this paper, we show that human psychological weaknesses give rise to the main vulnerabilities that social engineering attacks exploit. We also capture two essential levels, internal characteristics of human nature and external circumstance influences, to explore the root cause of these human weaknesses. We show that the internal characteristics of human nature can be converted into weaknesses by external circumstance influences. We therefore propose the I-E based model of human weakness for social engineering investigation. Based on this model, we analyze the vulnerabilities exploited by different social engineering techniques, and we derive several defense approaches to fix the human weaknesses. This work can help security researchers gain insight into social engineering from a different perspective and, in particular, enhance current and future research on social engineering defense mechanisms.

Cite This Paper

Wenjun Fan, Kevin Lwakatare, Rong Rong, "Social Engineering: I-E based Model of Human Weakness for Attack and Defense Investigations", International Journal of Computer Network and Information Security (IJCNIS), Vol.9, No.1, pp.1-11, 2017. DOI: 10.5815/ijcnis.2017.01.01
